There are some pretty important security updates. For example, this month there is a security update for Photoshop CS3 and CS2 running on Mac and Windows. Also, Flash Player 9.0.45.0 and earlier, 8.0.34.0 and earlier, and 7.0.69.0 and earlier on Windows and Mac.

That's the problem with buffer overrun vulnerabilities (assuming that's what the PshopPNG problem is). You'd think it's just some innocent data, but let it land someplace where it doesn't belong and oopsie, it's code.

No. I've got it. Don't yet have a computer that will run it, but I bought XP so late, I got Vista for shipping. Mind, I don't have a computer to put XP on either.<ggg>

Quote:

Steve: I'm not sure Ye Average User has a clue what the different colors mean. Or notices that the natters come in colors.

Have you memorized the nation's alert level colors? I think there are two -- orange and yellow. They say there are five, don't they? <BG>

Quote:

Steve: Or at least I think it's this one. With Flash disabled, I can't see moviesquat. <g>

ROFL. Know what you mean. Even when I enable it, I have problems. With dialup I have to be really sick of working on the computer to watch anything on YouTube. I remember this one. It was one of my favorites, too.


Quote:

Originally Posted by Andrew B.

I never would have guessed that a PNG opened in Photoshop (and only Photoshop) can compromise a computer.

Any data that is blindly read (typically but not necessarily from an unverifiable source) can. ...and in any process or kernel extension (driver). Someone just found this particular instance.

Unfortunately, the rapid pace of development combined with use of languages/tools whose default behavior is to allow blind writes to memory (C, C++ and many others) leads sloppy development teams to create thousands upon thousands of vulnerabilities in essentially every application on your system (let alone the system itself). That said, given the current system landscape (Windows XP, OS X, Linux), a compromised application can generally only do what your user can do. If the user is prohibited from administrative activities (and the application has been installed to run with those credentials ... the Task Manager will tell you) the application will be too.

You can limit your exposure to buffer overruns on Windows running newer hardware by doing the following:

If you find that enabling DEP leads to any process (application) crash, you have encountered a buffer overrun. If you can repeat the condition and cause/stop it from occurring via enabling/disabling DEP, call the vendor and provide them the steps you've found that recreate the condition. Their software has a DEFECT in it. If you called me (a developer) and gave me this type of information, I would have no case to deny that you have found a defect (because you have, and any engineer worthy of the title will know it).
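
An added illustration of the "blindly read" point in the post above (not part of the original thread, and not the actual Photoshop PNG defect, whose details the thread does not give): a PNG-style chunk reader in C that refuses a length field it cannot trust. The function name, buffer size and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_BUF 16  /* fixed-size destination (size chosen for the example) */

/* Decode a 4-byte big-endian integer, the form PNG uses for chunk lengths. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Copy one chunk's data into out[CHUNK_BUF].
 * Layout (PNG style): length(4) | type(4) | data(length) | crc(4)
 * Returns the number of bytes copied, or -1 if the declared length
 * cannot be trusted.
 */
int read_chunk(const uint8_t *file, size_t file_len, uint8_t out[CHUNK_BUF]) {
    if (file_len < 12) return -1;            /* length + type + crc must exist */
    uint32_t declared = be32(file);

    /* A blind reader would do: memcpy(out, file + 8, declared);
       the file, not the program, would then decide how much memory
       gets written. The two checks below take that decision back. */
    if (declared > CHUNK_BUF) return -1;     /* larger than the destination */
    if (declared > file_len - 12) return -1; /* larger than the input itself */

    memcpy(out, file + 8, declared);
    return (int)declared;
}

/* Constructed sample inputs (not real PNG chunks). */
static const uint8_t ok_chunk[]    = {0,0,0,4, 't','E','S','t', 1,2,3,4, 0,0,0,0};
static const uint8_t lying_chunk[] = {0,0,1,0, 't','E','S','t', 1,2,3,4, 0,0,0,0};
static const uint8_t short_file[]  = {0,0,0,8, 't','E','S','t', 1,2,3,4, 0,0,0,0};

int main(void) {
    uint8_t buf[CHUNK_BUF];
    printf("honest length:      %d\n", read_chunk(ok_chunk, sizeof ok_chunk, buf));
    printf("length > buffer:    %d\n", read_chunk(lying_chunk, sizeof lying_chunk, buf));
    printf("length > file data: %d\n", read_chunk(short_file, sizeof short_file, buf));
    return 0;
}
```

The second check matters as much as the first: a declared length that fits the buffer but exceeds the bytes actually present would read past the end of the input.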